DHS Privacy Committee Finalizes Report on RFID IDs

DHS Secretary Michael Chertoff will soon receive the 15-page advisory report, which the coauthors hope will impact the U.S. government's approach to incorporating RFID technology in identification documents.

The subcommittee wrote the 15-page report to guide Chertoff and Cooney in deciding whether to deploy RFID technology to identify or track individuals for such DHS programs as the PASS cards that will eventually be issued as an alternative to U.S. passports for travel in North America.

The original version of the report, written by the committee's Emerging Applications and Technology Subcommittee, was presented to the full Advisory Committee on June 7, 2006, at a public meeting in San Francisco (see DHS Meeting Draws Comments on RFID). At the time, it received a chilly reception by many representatives from companies selling RFID technology used in identification and credential applications, as well as from technology industry groups, because it came down hard on the use of RFID in identity documents. "We recommend that RFID be disfavored for identifying and tracking human beings," the draft report indicated, citing concerns over the skimming of personal data transmitted over a radio frequency signal, the cost of implementing RF technology and the existence of other authenticating technologies that could be used instead.

The final version of the report comes to a similar conclusion, according to coauthor Jim Harper, a director of information-policy studies for the Cato Institute, though its language has been softened. "I think a lot of the language was toned done, and a lot of assumptions that I feel strongly are true...were left out for the sake of congeniality," he says. One example he points to is the removal of most descriptions of RFID in identity documents as being "a tracking technology." Still, he says, there are no "recognizable substantive changes" to the latest version.

But in his reading of the latest report, Douglas Farry, a managing director and chair of the RFID practice at McKenna Long & Aldridge, a nationwide law firm focusing on the intersection of public policy and technology, sees a more pronounced change in the final draft. "It seems to be a better position than the initial draft, in that the initial draft concluded that the potential benefits [of using RFID in identity documents] were more than outweighed by the potential risks to personal privacy [that the technology presents]. But that's toned down. Now it says that if the DHS is going to use an RFID system, it should do so thoughtfully and carefully."

Both the original and revised reports are roughly the same length, and both share a common architecture and most of the same section and subsection content. However, the original version uses more pointed language. For instance, both versions state that RFID can provide a means of identifying a credential, but not the individual who is presenting it. To authenticate the bearer, they say, one or more biometric scans must be used to prove the credential was issued to the person presenting it. The two versions of the report diverge, however, in regard to the impact that authenticating the bearer would have on the process of RFID use to authenticate the document. "The steps needed to verify the biometric information using today's technology may reduce or negate the speed benefit offered by radio transmission," the revised report states. The original, however, contains the following wording: "Tying RFID to a biometric authentication negates the speed benefit [of using RFID]."